Pete Recommends – Weekly highlights on cyber security issues, October 31, 2020

Subject: Here’s how companies got your phone number and a way to prevent future calls
Source: USA Today

The exemptions to the registry include political campaigns, polls and surveys, debt collectors, charities, non-profits and companies you’ve done business with in the past 18 months or sought to do business with in the past three months.

Both political campaigns and charities often share or sell donor information to other campaigns, charities and non-profits.

From a business standpoint, there are so many automated platforms for setting appointments or making reservations that ask for your phone number. You can assume that the “terms of use” allow a third party to be involved and to decide what happens with the data.

Subject: New Bill Aims to Stop President From Shutting Down the Internet
Source: Gizmodo

Two members of Congress have introduced legislation that would prevent the president from taking action to restrict the U.S. public’s access to the internet, the Preventing Unwarranted Communications Shutdowns Act (PUCSA). In an announcement, Representatives Anna Eshoo, a California Democrat, and Virginia Republican Morgan Griffith wrote that while they are aware the internet cannot be “shut down” due to its decentralized nature, the president can nonetheless take action to effectively cut off most Americans from the internet under §706(d) of the Communications Act of 1934. That act authorizes the president to override all rules and regulations pertaining to facilities or stations involved in wire or radio communications, cause their closure and “removal therefrom of its apparatus and equipment,” or simply take them over.

As the Brookings Institute noted, the president simply needs to declare a national emergency to invoke that authority. While this may be particularly disconcerting considering made-up national emergencies are something the Trump administration is very fond of declaring—and has repeatedly indicated it may go to extreme lengths to retain power regardless of the outcome of the 2020 elections—any future White House could abuse this authority.


Subject: NIST Needs Tech Providers Help Developing Zero-Trust Practice Guide
Source: Nextgov

The National Institute of Standards and Technology has laid out components of a comprehensive zero-trust system and is asking product developers to come together and build it. The end result will be the foundation of a practice guide in a series of special publications. Prospective participants will be evaluated on a first-come, first-served basis according to a notice posted in the Federal Register Wednesday, with kickoff happening within the month.

“Collaborative activities will commence as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities, but no earlier than [30 days after the posting date],” the notice reads.

Entities with commercial offerings essential to zero trust—the buzzy premise that an organization’s internal network is not an inherently safe space—have an opportunity to demonstrate their wares in collaboration with NIST and other vendors, the notice said.

The popularity of a zero trust approach to security has grown along with the adoption of cloud services and an increase in network-connected devices. Demarcation of the perimeter is no longer clear and the persistence of insider threat has increased focus on the need to carefully manage user identity and limit access to sensitive data and operations.

But the term zero trust has also become a marketing opportunity, with companies eager to lay claim to its features.

Subject: USPS looks to monetize its mapping data
Source: FCW

The U.S. Postal Service wants to use its thousands of mail delivery vehicles that traverse the country every day to collect geospatial data it could provide to other agencies on an as-a-service basis. Lauren Lee, the Postal Service’s director of digital business services, said USPS is looking to leverage its vast mail delivery infrastructure for additional revenue streams. Geospatial address location data currently collected by its more than 220,000 mail vehicles is a significant part of that infrastructure, and a valuable resource that other agencies could use. “We know a lot about mapping,” Lee said in an Oct. 22 presentation hosted by the General Services Administration’s Technology Transformation Services. “We pick up data from the carriers as they’re traversing their routes in one-second breadcrumbs or geocode of locations. … Sometimes our carriers are in areas before mapping companies even know there are roads there.”

When fully developed, the service will join other USPS data-as-a-service offerings. USPS has been working with the FBI on a fingerprinting-as-a-service at over 100 post offices across the country, according to Heather Dyer, director of identity and access management at the USPS chief information security office.

The agency began that pilot in 2018. The program is aimed at identity verification for the public for background checks, visa applications and child adoptions. The USPS takes fingerprints at the post offices and passes them off to the FBI for processing. The service, said Dyer, has shortened a weeks-long process to hours, or even minutes.

Subject: COVID-19 clinical trial: real or fake? Learn how to tell the difference
Source: FTC Consumer Information

There are thousands of trials underway as companies race to find effective vaccines and treatments for COVID-19. Many of these research studies are legitimate, but some are not. So, if you’re thinking about volunteering for a COVID-19 trial, it’s important to know how to spot the real trials advancing medicine for everyone, versus the fake ones trying to steal your money and personal information.

If you’re interested in participating in a COVID-19 or other research study, here are some things to keep in mind: …

If you spot a trial that’s charging people to participate, or demanding your SSN or financial information during screening, be sure to tell the Federal Trade Commission.


Subject: Adblockers installed 300,000 times are malicious and should be removed now
Source: Ars Technica

Adblocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users’ social media accounts thanks to malware its new owner introduced a few weeks ago, according to technical analyses and posts on Github. Hugo Xu, developer of the Nano Adblocker and Nano Defender extensions, said 17 days ago that he no longer had the time to maintain the project and had sold the rights to the versions available in Google’s Chrome Web Store. Xu told me that Nano Adblocker and Nano Defender, which often are installed together, have about 300,000 installations total.

Four days ago, Raymond Hill, maker of the uBlock Origin extension upon which Nano Adblocker is based, revealed that the new developers had rolled out updates that added malicious code.

Nano Adblocker and Nano Defender aren’t the only extensions that have been reported to tamper with Instagram accounts. User Agent Switcher, an extension that had more than 100,000 active users until Google removed it earlier this month, is reported to have done the same thing.

Subject: Police are using facial recognition for minor crimes because they can
Source: CNet via beSpacific

CNet – Law enforcement is tapping the tech for low-level crimes like shoplifting, because there are no limits. But the tool often makes errors. “…The US has no federal regulations on facial recognition, leaving thousands of police departments to determine their own limits. Advocates say that’s a concern for civil liberties. While some members of Congress propose an indefinite nationwide ban on police use, other bills suggest it could still be allowed with a warrant, or they prevent only businesses from using it. Police often frame facial recognition as a necessary tool to solve the most heinous crimes, like terrorist attacks and violent assaults, but researchers have found that the technology is more frequently used for low-level offenses….”


Subject: Ransomware Guide
Source: CISA

On September 30, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Ransomware Guide, a customer-centered, one-stop resource with best practices and ways to prevent, protect against and/or respond to a ransomware attack. CISA and MS-ISAC are distributing this guide to inform and enhance network defense and reduce exposure to a ransomware attack.

This Ransomware Guide includes two resources:

  • Part 1: Ransomware Prevention Best Practices
  • Part 2: Ransomware Response Checklist

Subject: Social Security Begins New Electronic Social Security Number Verification Service
Source: SSA

The Social Security Administration has begun the initial rollout of its new electronic Consent Based Social Security Number (SSN) Verification (eCBSV) service. The agency is rolling out the service to selected participants through 2020, and plans on expanding the number of users in 2021.

“Our new electronic SSN verification service helps reduce synthetic identity fraud by comparing agency records with data provided electronically by approved participants,” said Andrew Saul, Commissioner of Social Security. “This is an important online service that helps us provide participants and their customers fast, secure, and more efficient SSN verifications.”
